1. Field of the Invention
The present invention generally relates to information processing apparatuses, operation permission generating methods, operation permission generation determining methods, operation permission generating program products and computer-readable recording media, and generation permission determining program products and computer-readable recording media, and more particularly to an information processing apparatus, an operation permission generating method, a generation permission determining method, an operation permission generating program product and computer-readable medium, and a generation permission determining program product and computer-readable recording medium, in which operation permissions used to determine an operation permit with respect to a resource are generated.
2. Description of the Related Art
Conventionally, in order to conduct access control in a document management system, an operation permit list, called an ACL (Access Control List), is set for each document or for each group formed by a set of a plurality of documents, and a security rule, which shows which user is allowed which operation, is managed. However, since the ACL is managed inside each system (for example, the ACL is managed as management information in a document management database), it is difficult to apply a rule based on a standardized policy universally across a plurality of systems.
In order to maintain consistency of the access control with respect to a resource such as a document or the like over a wider range than a single system, Japanese Laid-open Patent Application No. 2003-150751 discloses that information (hereinafter called “access control information”) concerning the access control in the plurality of systems is collected in a single security server, and each application determines whether to permit each of various operations based on an access control policy (security policy) that is unified in the security server. However, since the operations subject to control differ from application to application, the management information is not consistent when the access control information is simply collected from the plurality of systems. Accordingly, in the security server, the security policy is defined at a higher level of abstraction. When a detailed determination is individually conducted, the access control is conducted by applying, for each application, the most suitable policy description among the policy descriptions that define an access control for each abstract operation (for example, whether a process of “print out” and a process of “download to a local PC” are permitted is determined in each case based on a policy of “document output rule”).
FIG. 1 is a diagram showing conventional definition contents of the security policy. As shown in a table 500 in FIG. 1, in the security policy, an operation is defined to be permitted or not (YES or NO) for each type of operation (refer, print, edit, delete, and the like) based on combinations of categories of subjects (related parties or outside parties) and categories of resources (sensitivity levels of documents). In addition, the contents of an obligation are shown in the row immediately under the row showing whether the operation is permitted. Accordingly, for example, referring to the table 500, related parties are permitted to refer to a secret document, but in this case, a log must be recorded. As described above, it is possible to comprehensively define the permission of various operations based on the combination of the categories of the subjects and the categories of the resources. However, since the security policy is a common rule for the plurality of systems, the contents of the definitions tend to be fixed. Thus, it is difficult to respond flexibly to an exceptional event that may occur in routine work (for example, a case in which an operation authority for a specific document is temporarily granted to a temporary employee).
On the other hand, the following method may be considered. Instead of comprehensively defining access control information such as the security policy, an operation authority is given in accordance with the progress of a business: every time a specific operation on a specific document is permitted to a specific user with an approval, data (hereinafter called a “permit”) showing that the specific operation is permitted is generated, and the access control is conducted based on the permit.
FIG. 2 is a diagram showing an example of a conventional permit. In a table 510 in FIG. 2, each row shows one permit. As shown in FIG. 2, the permit is formed by information on a subject user, a subject document, a subject operation, an obligation, a permit expiration, and the like. The subject user, the subject document, and the subject operation show the user, the document, and the operation that are subject to the permit, respectively. The obligation shows an obligation imposed when an operation allowed by the permit is conducted. The permit expiration shows the date until which the operation is allowed by the permit. The permit on the first row defines that related parties are allowed to print out any document (ANY), regardless of sensitivity level, by Oct. 10, 2004. In this case, the permit also defines that a log is required to be recorded. In FIG. 2, the subject user and the subject document are specified by the categories of the user and the categories of the document shown in FIG. 1. A specific user and a specific document can also be made subjects, for example by specifying the subject user and the subject document with a user ID and a document ID.
With a method using the permit, it is possible to realize a flexible access control in which a necessary authority can easily be granted when needed.
However, since each permit is issued independently and is not generated based on a uniform rule, the subjects of some permits interfere with each other as a result of issuing a plurality of permits. For example, comparing the permit of the first row (hereinafter called “permit 1”) with the permit of the second row (hereinafter called “permit 2”), the subject users of both permits are “related parties”, and the subject operations are “print”. Moreover, the subject document of “permit 1” is defined as “ANY” (all categories), so that its range of subject documents includes the subject document of “permit 2”. Accordingly, both permits overlap in that each defines a print operation by related parties with a secret document as the subject document. In this case, it becomes a problem to determine which definition should have the higher priority, or whether the definitions of both permits should be combined. For example, it is a problem to determine which one of the obligations should be applied to the interfering portion, or whether a logical addition of the obligations of both permits should be applied to the interfering portion.
It is assumed that a priority order is defined between the permits interfering with each other. FIG. 3 is a diagram showing a conventional case in which permits interfere with each other. In FIG. 3, three permits 510, 520, and 530 interfere with each other. That is, the permits 510 and 530 overlap in a range A, the three permits 510, 520, and 530 overlap in a range B, the permits 510 and 520 overlap in a range C, and the permits 520 and 530 overlap in a range D. Accordingly, in these overlapping ranges, it is required to define a priority among the permits 510, 520, and 530.
However, if each of the permits 510, 520, and 530 is used as one permit unit and a priority order is defined by permit unit, the priority order is fixed in each of the ranges A, B, and C. For example, if the priority order is defined as the order of the permits 510, 520, and 530, the permit 510 has priority in all of the ranges A, B, and C.
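The interference between “permit 1” and “permit 2” and a priority order fixed per permit unit, as described above, can be sketched as follows. This Python example is added here and is not part of the original document; the field-matching rules, the function names, the obligation and expiration of permit 2, and all of permit 3 are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from itertools import combinations

ANY = "ANY"  # wildcard for "all categories", as in table 510

@dataclass(frozen=True)
class Permit:
    name: str
    user: str        # subject user (category)
    document: str    # subject document (sensitivity level) or ANY
    operation: str   # subject operation
    obligation: str
    expires: date    # last day on which the permit allows the operation

def common(a, b):
    """Intersection of two field values; None when they are disjoint."""
    if a == ANY:
        return b
    return a if b in (ANY, a) else None

def interference(p, q):
    """(user, document, operation) range covered by both permits, or None."""
    r = (common(p.user, q.user), common(p.document, q.document),
         common(p.operation, q.operation))
    return None if None in r else r

def find_interference(permits):
    """Map each interfering pair of permit names to the range they share."""
    return {(p.name, q.name): r for p, q in combinations(permits, 2)
            if (r := interference(p, q))}

def decide(permits, order, user, document, operation, today):
    """Fixed per-permit priority: the first unexpired match in `order` wins."""
    by_name = {p.name: p for p in permits}
    for name in order:
        p = by_name[name]
        covers = (p.user in (ANY, user) and p.document in (ANY, document)
                  and p.operation in (ANY, operation))
        if covers and today <= p.expires:
            return p.name, p.obligation
    return None  # no permit covers the request

# Permit 1 follows the first row of table 510 as described in the text; the
# obligation and expiration of permit 2 and all of permit 3 are constructed.
PERMITS = [
    Permit("permit 1", "related parties", ANY, "print", "record log", date(2004, 10, 10)),
    Permit("permit 2", "related parties", "secret", "print", "constructed obligation", date(2004, 12, 31)),
    Permit("permit 3", "related parties", "secret", "refer", "record log", date(2004, 12, 31)),
]
```

With the order permit 1, permit 2, permit 3, a print request by related parties on a secret document is always decided by permit 1 and its obligation until permit 1 expires, which is the fixed outcome the text describes for a priority defined by permit unit.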